Authentication tools provide the ability to determine the identity of a party to an interaction and to ensure that a message came from whom it claims to have come from. Authentication can be used as the basis for authorization (determining whether a privilege will be granted to a particular user or process). For example, when a bank client wishes to access a bank account from an automated teller machine (ATM), authentication is used to determine the client's authorization to access a particular bank account.
An authentication factor is a piece of information used to authenticate or verify a person's identity for security purposes. Authentication factors can be classified as something a user is or does, something a user knows, and something a user has. For example, something a user is or does includes a fingerprint or retinal pattern, DNA sequence, signature or voice recognition. Something a user knows may be a password, pass phrase, or personal identification number (PIN). Something a user has may be an ID card, security token, software token, phone, or mobile phone.
Traditional authentication schemes use a one-factor system that authenticates users using only, for example, something a user knows, such as a username and password pair. This one-factor system provides minimal security, because many user passwords are very easy to guess.
Two-factor authentication (TFA) is a system wherein two different factors are used for authentication. Using more than one factor is sometimes called strong authentication. Using two factors as opposed to one delivers a higher level of authentication assurance. For example, a first authentication factor may be a user's username and password already registered at a third party website, for example, www.bank.com. The password provides the something you know component. A second factor may be something the user has. In the most common implementations of two-factor authentication, the something you have component may be a small security token. These tokens can take many form factors, including but not limited to key rings and credit card-sized cards. A security token card is a compact electronic device which displays a number on a small screen. With a security token card, a user will still enter their username and password at sign-in, but in addition to that, a user will also enter a 6-digit random numeric code that appears on their token. By entering this number into the system when a user attempts to authenticate (login), a user proves that he/she is in possession of the card.
Implementation of two-factor authentication may include one-time passwords (OTP). Using one-time passwords requires a user to generate and use a different OTP each time a user attempts a login. Traditional static passwords can more easily be accessed by an unauthorized intruder given enough attempts and time. The use of one-time passwords makes it difficult for passwords to be sniffed, stolen and then re-used. By constantly altering the password, the risk of unauthorized access can be greatly reduced. For example, a number displayed on a small token card can change frequently, usually every 30 or 60 seconds. The system which a user is authenticating to knows the number which should be on the small token card. If the numbers match and a user's password is correct, a user is authenticated.
There are basically three types of one-time passwords: event-based OTP, time-based OTP, and challenge-based OTP. Event-based security tokens generate a new code whenever a button is pressed on the token. At each authentication, a validation server ticks onto the next code in the sequence and a user is directed to press a button on the security token to get a new code. If the code entered matches the code on the server, authentication is granted. The server and the token both started with the same ‘seed’ or ‘shared secret’, from which the subsequent codes are generated, and the button presses are presumably synchronized.
Event-based tokens are less secure than time-based tokens, as the codes they generate are valid until they are used. If a hacker acquires a code from an event-based token, and also has the victim's password, the hacker has unauthorized access to the victim's resources until the victim attempts to use the code, or the hacker logs out. An improvement over the event-based OTP scheme is the time-based password scheme. Time-based passwords are based on the current time and are valid for a short period. The security code generated is usually a random number based on a shared seed (shared secret information) with a validation server. At regular time intervals, for example, 30 or 60 seconds, the token uses an algorithm that is generally unique to each token, to generate a new security code based on the time. The functionality of this system depends on the accuracy and synchronization of the clocks in the token and the validation server, as well as a common random number seed. As with the event-based tokens, this code is entered alongside a password to gain authentication.